Date: Mon, 06 Jul 2015 09:34:24 +0200
From: Florian Weimer <>
Subject: Re: node.js out of band write

On 07/06/2015 01:51 AM, Mark Felder wrote:
> Node has resolved a security vulnerability in their most recent release
> but does not appear to have requested a CVE ID.
> Node v0.12.6 (Stable)
> Sat, 04 Jul 2015 02:34:23 UTC - release
> This release of Node.js fixes a bug that triggers an out-of-band write
> in V8's utf-8 decoder. This bug impacts all Buffer to String
> conversions. This is an important security update as this bug can be
> used to cause a denial of service attack.

I have trouble reconciling this description with the fix in this commit:


Upstream v8 lacks this change.  Is it required in Node.js because
Node.js pokes at v8 internals in unsupported ways?

Florian Weimer / Red Hat Product Security
